The Department of Justice is continuing its PR battle over the use of strong encryption. Their position is that strong encryption makes it much more difficult to investigate crimes because, even with a warrant, encryption locks everyone but the end user out of the data. Therefore, more bad guys are getting away with their crimes. Law enforcement’s mission is to investigate crimes, gather evidence, arrest suspects and present their findings to prosecutors to lock away the criminals. Anything that significantly hinders that mission is a problem with serious impacts on society. Their solution is that a master key must be created/provided to unlock all encryption once a warrant has been obtained. However, this idea has significant problems associated with it that also have serious impacts on society.

The rationale behind this argument is understandable, but their solution frankly stinks. Let’s look at mobile devices, for instance. This is probably one of the major areas that law enforcement wants addressed. Everyone carries their phone with them constantly and people are constantly recording their activity on them; even moments that they probably shouldn’t. There is a high likelihood that evidence could be available on these devices. But the BBC News reported last week that the FBI was unable to unlock about 7,000 mobile devices over an 11-month period. Ouch! So they appear to see an engineering solution to this problem. “You guys built cryptography. Just build new cryptography that allows us to get in later. It can’t be that hard.”

Perhaps this could be done, but what could happen if laws were passed that required manufacturers to build in master keys to unlock devices? First, anyone who has worked with encryption in any kind of rigorous manner can tell you key management is hard. How do you store the keys? Who has access to them? How do you prevent unauthorized use or disclosure? Can the federal government be trusted to do this well? A quick look at Shadow Brokers and WikiLeaks tells me no, they cannot, and I don’t think anyone can. Not at this scale. Even if manufacturers held the keys in escrow, the same problems exist but are just spread out a little more. These keys would become a prime target for countries to gain access to for surveillance. Countries like China who are actively monitoring their population would demand access to these keys and manufacturers would be hard-pressed not to turn them over. “You gave them to the USA. Now give them to us.”

I get law enforcement’s desire to be able to unlock encrypted communications and data on devices, but their solution is not realistic. “Master keys” would be targeted and compromised. And once out of the bottle, it would be nearly impossible to lock it back down. Their solution for this type of weak encryption would almost certainly result in more surveillance and more data theft. They would enable a new level of criminal activity, put more people and organizations at risk and do so by ignoring the expertise of people who actually know what it takes to make encryption effective. My opinion is that they create more problems than they solve.